Random thoughts and technical bits

Breaking out a SSO/PSC to enable enhanced linked mode

The single sign-on (SSO) service used to be a fairly painless portion of vCenter (once we got to 5.5; in 5.0 it was a major pain). It was essentially a lightweight directory (vsphere.local) and a gateway to Active Directory. The Platform Services Controller (PSC) of vCenter 6 is a completely different animal. It performs a lot of new functions that are not easy to transfer between instances. For example, the PSC does the following:

Handles and stores SSL certificates

Handles and stores license keys

Handles and stores permissions via global permissions layer

Handles and stores replication of Tags and Categories

Built-in automated replication between different sites

Why does it do all these and why do I care?

Well, VMware has come to understand that virtual machines cannot be bound to a specific location: more and more customers want hybrid and multi-site capabilities while keeping the same management. A lot of the management functions are based around Tags and permissions, so having an overarching layer to provide that functionality is huge. I assume that we are going to see more features passed up to the PSC layer in order to make cross-site / cross-vCenter features available.

Architectural change

In 6.0 VMware changed the architecture to make external PSCs the preferred mode of operation. In fact they support up to 8 replicated PSCs, and there are two constructs that matter:

Domain (traditionally this has been vsphere.local)

Sites (Physical locations)

Site designation changes how the PSCs and their multi-master replication behave (replicating to a single instance at each site, then having that instance replicate to the local nodes).

The change to external PSCs is a challenge for many users. First, let me be clear about one challenge: you can only have one domain, and merging domains is not supported. Once you get to 6 you cannot leave a domain and join a different domain; I have not seen instructions to do it and it does not seem to be supported. In 5 you can leave an SSO domain and join a different domain, so if you are still on 5 and wish to join multiple machines to the same domain, do it while on 5 using SSO. If you wish to move from an embedded PSC to an external PSC, the process is pretty simple:

Install a new PSC (can be Windows or Linux) joined to the embedded PSC

About Author

Joseph Griffiths is a virtualization-focused solutions architect who works with complex cloud-based solutions. He currently holds many IT certifications, including VMware VCDX-DCV and VCDX-CMA #143. This blog represents his random technical notes and thoughts. The thoughts expressed here do not reflect Joseph’s current employer in any way. You can follow Joseph on Twitter @Gortees